touch-packages team mailing list archive

Thread
Date

[Bug 1393515] Re: browser allows browsing the phone filesystem

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Jamie Strandboge <jamie@xxxxxxxxxx>
Date: Tue, 18 Nov 2014 14:23:07 -0000
Reply-to: Bug 1393515 <1393515@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Without this fix, the other protections made in the file manager and
elsewhere are meaningless.

** Description changed:

- using a URL like: file:/// gets you to the root of the phone filesystem
+ Using a URL like: file:/// gets you to the root of the phone filesystem
  ... i assume this is not actually desired since we even block the
  filemanager app to go higher up then $HOME without requiring a password.
+ 
+ The webbrowser-app should either behave like the file-manager (see bug
+ #1347010 for details) or file:/// should be disabled altogether on the
+ phone.

** Description changed:

  Using a URL like: file:/// gets you to the root of the phone filesystem
  ... i assume this is not actually desired since we even block the
  filemanager app to go higher up then $HOME without requiring a password.
  
- The webbrowser-app should either behave like the file-manager (see bug
- #1347010 for details) or file:/// should be disabled altogether on the
- phone.
+ The webbrowser-app should either:
+  * behave like the file-manager (see bug #1347010 for details)
+  * file:/// should be disabled altogether on the phone
+  * webbrowser-app should run confined which would force the use of
+    content-hub by limiting file:/// access to those paths allowed by
+    policy

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to webbrowser-app in Ubuntu.
https://bugs.launchpad.net/bugs/1393515

Title:
  browser allows browsing the phone filesystem

Status in “webbrowser-app” package in Ubuntu:
  Confirmed
Status in “webbrowser-app” package in Ubuntu RTM:
  Confirmed

Bug description:
  Using a URL like: file:/// gets you to the root of the phone
  filesystem ... i assume this is not actually desired since we even
  block the filemanager app to go higher up then $HOME without requiring
  a password.

  The webbrowser-app should either:
   * behave like the file-manager (see bug #1347010 for details)
   * file:/// should be disabled altogether on the phone
   * webbrowser-app should run confined which would force the use of
     content-hub by limiting file:/// access to those paths allowed by
     policy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/webbrowser-app/+bug/1393515/+subscriptions

References

[Bug 1393515] [NEW] browser allows browsing the phone filesystem
From: Oliver Grawert, 2014-11-17